The resolution of two sanctions-related investigations over the last month by both the Financial Conduct Authority (FCA) and the Office of Financial Sanctions Implementation (OFSI) could signal the start of the anticipated increase in UK enforcement in respect of failings relating to financial sanctions systems and controls (in the case of the regulated sector) and breaches of the Russia (Sanctions) (EU) Regulations 2019 (the Russia Regulations).  While there is a substantial contrast between the FCA’s £29 million fine and OFSI’s £15,000 penalty, both enforcement actions demonstrate the UK’s commitment to pursue compliance failings and breaches of financial sanctions when they occur.

In relation to the FCA fine of £29 million imposed on a digital ‘challenger bank’ for financial crime systems and controls failures, the Final Notice states that the FCA identified “serious concerns” with the bank’s anti-money laundering (AML) and financial sanctions framework.  As a result, the bank agreed to commence an AML Enhancement Plan and entered into a voluntary requirement (VREQ), agreeing not to open new accounts for high-risk customers while it improved its AML control framework.  However, in breach of the VREQ, the bank opened over 54,000 accounts for 49,000 high-risk customers between September 2021 and November 2023.  This included 294 customers that had previously been exited for financial crime reasons, of which 161 had previously been subject to suspicious activity reports.

The FCA also found: (i) systematic failures in the bank’s assessment of financial sanctions risk; (ii) inadequate policies and procedures relating to sanctions screening; and (iii) no formal mechanism for testing the configuration of its financial sanctions screening systems.  Consequently, customers were only screened against individuals on the Consolidated List with UK citizenship or UK residency.  This created a material risk, as Designated Persons were able to open accounts or continue to maintain accounts.  According to the FCA, the bank’s “financial sanction screening controls were shockingly lax. It left the financial system wide open to criminals and those subject to sanctions”.

The case highlights the importance of having a strong financial sanctions framework in place, in addition to AML controls, which has been more of the focus of the FCA and enforcement in recent years.

In relation to the OFSI penalty of £15,000 imposed on a London-based concierge company,  the breaches of the Russia Regulations concerned providing services to a sanctioned individual.  The conduct involved 26 payments totalling just under £15,500 which were made or received by the company between 2022 and 2023 in connection with property management services provided to a person designated as a target of an asset freeze under the Russia Regulations.

The company also breached reporting requirements by failing to report payments to water and utilities companies.  OFSI considered this, and the cumulative total and the repeated nature of the payments, to be aggravating factors when considering the extent of the penalty to be imposed.

Key takeaways

  • Failure to disclose breaches – the FCA are increasingly using VREQs and ‘own-initiative requirement’ powers (OIREQs) to impose a wide range of requirements.  It is imperative that a firm complies with such requirements until they are varied or cancelled.  A key failing was that the bank did not have a formal monitoring programme and the FCA noted its “disappointment” that the bank did not immediately report the initial VREQ breaches.  For more on this topic, please see our article here.
  • Skills, knowledge and experience – In respect of the OFSI penalty, the company was unaware of its sanctions obligations and its knowledge of sanctions risk was, by its own admission, extremely limited.  OFSI highlighted the importance for firms to understand their exposure to sanctions risk, educate themselves on the risks, take appropriate action to address it and seek professional advice where necessary.

    Similarly, the FCA considered the lack of AML skills and experience of the bank’s senior management to be a key contributing factor to the VREQ breach.  According to the FCA, the senior management team was inexperienced when dealing with significant regulatory changes and lacked awareness of the impact of VREQs.
  • Pace of investigations – Therese Chambers, Joint Executive Director of Enforcement and Market Oversight at the FCA, recently delivered a speech in respect of the FCA’sfocus on the pace of its enforcement investigations.  This renewed focus was seemingly demonstrated as it took 14 months to achieve an outcome, compared to an average of 42 months for cases in the previous reporting period.